Gained root - now what?

3 posts in this topic

A couple of days ago I found a box running Arch Linux, which I thought I'd try to exploit for learning purposes. A quick nmap showed it was running an exploitable server, so I managed to get a shell - and from there I really didn't have much of a problem finally gaining root. The fact that even I could get into the box tells me that this guy did absolutely nothing to secure it.

Inside, I found out that this is a workstation, full of the user's personal files. Not of much use to me, although I saved some accounts/passwords for usable websites (thanks to saved passwords in ~/.mozilla/). I don't want to ruin this guy's life in any way, so Facebook accounts etc. don't interest me.

Now, as root, I want to make sure this box will be available to me in the future, for various purposes. Unfortunately it was obvious to me that this guy shuts down the computer at night, and he has a public dynamic IP.

  • First off, I anonymously registered an account at no-ip.org, and installed a daemon which updates the DNS-records whenever the IP changes. This enables me to at least reach his box, as long as he's not suddenly behind a firewall.
  • I set up a new account with a generic name (such as "ptd") and sudo privileges, and placed the home directory under /var/spool/<username> to ensure it's at least a bit more hidden.
  • I deleted all logs which witnessed my activities, and replaced them with symlinks to /dev/null, to make sure that nothing was saved in the logs when/if he discovers I'm connected.
  • I renamed and moved the "/usr/bin/who"-application to "/usr/sbin/wat", so I can see him when he's logged in, while not letting him see me. My hostname shows up with that script. Is there any other way to disable that without replacing the program with a fake one compiled from scratch? Is my hostname visible anywhere else? /var/log/lastlog points to /dev/null, as well as /var/log/auth.log.
  • I installed an FTPd which can enable me to access files, or store files on his box.
  • A polipo proxy was added, to get me another way of accessing the internet "anonymously". I'm thinking about installing OpenVPN instead...
  • I also installed a keylogger which logs all physical keystrokes into a stealth file, available for me by SSH or FTP.

So, what have I missed? Any tips would be great, since I'm not very experienced in being stealthy online. Of course I did all this from a WiFi network which isn't mine, and I spoofed my MAC address beforehand.

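The changes the first post describes (logs symlinked to /dev/null, a login account hidden under /var/spool, a system binary moved away) each leave a trace the owner can check for. The script below is an added example, not code from this thread; it takes a root prefix so the checks can be run against a mounted disk image or a constructed test tree rather than the live root, and the list of expected binaries is an assumption chosen to match the post.

```shell
#!/bin/sh
# Added example: owner-side integrity checks for the tampering described in the
# first post. Every function takes an optional root prefix (default: "/").

# Log files that have been replaced by symlinks pointing at /dev/null.
find_devnull_log_links() {
    root="${1:-}"
    find "$root/var/log" -type l 2>/dev/null | while read -r f; do
        if [ "$(readlink "$f")" = "/dev/null" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Accounts with a real login shell whose home directory is outside /home and
# /root (the post hides one under /var/spool/<name>). Output: name:home
find_odd_home_dirs() {
    root="${1:-}"
    awk -F: '$7 !~ /(nologin|false)$/ && $6 !~ /^\/(home|root)(\/|$)/ {print $1 ":" $6}' \
        "$root/etc/passwd"
}

# Standard session-reporting binaries that are missing from their usual path
# (the post moves /usr/bin/who). The list is an assumption, not from the post.
find_missing_binaries() {
    root="${1:-}"
    for b in /usr/bin/who /usr/bin/w /usr/bin/last; do
        [ -e "$root$b" ] || printf '%s\n' "$b"
    done
}

# Run all three checks against the live system when executed directly.
run_all_checks() {
    echo "== logs symlinked to /dev/null =="; find_devnull_log_links "$1"
    echo "== login accounts with unusual home =="; find_odd_home_dirs "$1"
    echo "== missing session binaries =="; find_missing_binaries "$1"
}
```

Run it as `run_all_checks` with no argument for the live system, or pass the mount point of an offline image; compare the binary list against the distribution's package manifest before acting on it.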

Tell the owner his box is insecure.

Edited by tekio


I suggest you tell the owner his box is insecure, and maybe offer him some form of assistance in securing it. I would then suggest you find another aspect of the hobby for "learning purposes", or at the very least refrain from making what my lawyer would refer to as "admissions against interest" on a public online forum.

If you are looking for a learning experience, you should consider setting up your own *nix box, installing all the known security patches, and then attempting to find holes or bugs in the system. I would think that to be more challenging than simply finding a box on the net that some ignorant admin failed to properly secure.
